Nastiest malware of 2018: Top attack payloads wreaking havoc

Webroot highlights the top cyberattacks of 2018 in its latest nastiest malware list, which showcases the malware and attack payloads that have been most detrimental to organisations and consumers alike.

Three nastiest: Botnets and banking trojans

Emotet is this year’s nastiest botnet that delivers banking Trojans. It aspires to increase the number of zombies in its spam botnet, with a concentration on credential gathering. Threat actors have recently developed a universal plug and play (UPnP) module that allows Emotet to turn victims’ routers into potential proxy nodes for their command-and-control infrastructure.

Trickbot follows a similar attack plan, but contains additional modules (with more added each day) and has even been seen dropping ransomware. Imagine all of the machines in your network being encrypted at once!

Zeus Panda has similar functionality to Trickbot, but has more interesting distribution methods including macro-enabled Word documents, exploit kits and even compromised remote monitoring and management services.

Three nastiest: Cryptomining and cryptojacking

GhostMiner’s distribution method is the scariest part for its victims because they don’t know its entry point, similar to a scary movie where you know someone’s in the house but you don’t know where. GhostMiner is most commonly seen being distributed via an exploit in Oracle WebLogic (CVE-2018-2628).

Coinhive, initially innocent, was quickly added to the standard toolkit for attackers compromising websites. Even legitimate website owners are using Coinhive without knowing the impact it will have on their visitors. If your computer processing power (CPU) spikes to 100 percent when simply visiting a website, it might be Coinhive.

Three nastiest: Ransomware

Crysis/Dharma goes hand in hand with the term “compromised RDP.” This ransomware has been evolving to remain one of the top dogs of the ransomware as a service (RaaS) world and specifically targets the RDP vector. System administrators consistently return to work after a weekend to find one or more of their machines encrypted, usually without knowing the source.

GandCrab is yet another RaaS. It is especially nasty, as it is distributed via malspam campaigns, exploit kits, and RDP. Another interesting fact is that it uses the .bit TLD (top level domain), not sanctioned by ICANN, providing an added level of secrecy.

SamSam, initially distributed via a JBoss exploit, soon turned to RDP and is now bringing down entire cities (or portions of them at least). You’ve likely seen these attacks in the news for taking down the city of Atlanta or the Colorado Department of Transportation.